Self-Inspection Handbook - CDSE

Self-Inspection Handbook for NISP Contractors

Center for Development of Security Excellence

Defense Security Service | May 2016

Self-Inspection Handbook for NISP Contractors

TABLE OF CONTENTS

The Contractor Security Review Requirement ........ 2
The Self-Inspection Handbook for NISP Contractors ........ 2
The Elements of Inspection ........ 2-3
Self-Inspection Process ........ 3-7
Self-Inspection Checklist ........ 8

ELEMENTS OF INSPECTION

A. FACILITY CLEARANCE (FCL) ........ 9-10
B. ACCESS AUTHORIZATIONS ........ 10-12
C. SECURITY EDUCATION ........ 12-15
D. CONSULTANTS ........ 15
E. STANDARD PRACTICE PROCEDURES (SPP) ........ 16
F. SUBCONTRACTING ........ 16-17
G. VISIT CONTROL ........ 18
H. CLASSIFIED MEETINGS ........ 19-20
I. CLASSIFICATION ........ 20-21
J. EMPLOYEE IDENTIFICATION ........ 22
K. FOREIGN OWNERSHIP, CONTROL, OR INFLUENCE (FOCI) ........ 22-24
L. PUBLIC RELEASE ........ 24
M. CLASSIFIED STORAGE ........ 25-27
N. CONTROLLED ACCESS AREAS ........ 28-30
O. MARKINGS ........ 30-31
P. TRANSMISSION ........ 32-34
Q. CLASSIFIED MATERIAL CONTROLS ........ 34-36
R. REPRODUCTION ........ 36-37
S. DISPOSITION ........ 38-39
T. INFORMATION SYSTEMS (IS) ........ 39-54
U. COMSEC/CRYPTO ........ 54
V. INTERNATIONAL OPERATIONS ........ 55-60
W. OPERATIONS SECURITY (OPSEC) ........ 60
X. SPECIAL ACCESS PROGRAMS (SAP) ........ 61
Y. INSIDER THREAT PROGRAM ........ 61-67

INTERVIEWING EMPLOYEES

General Interviewing Techniques ........ 4
Suggested Questions When Interviewing Employees ........ 5-7


SELF-INSPECTION HANDBOOK FOR NISP CONTRACTORS

The Contractor Security Review Requirement

"Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection, including the self-inspection required by paragraph 8-101h of chapter 8 of this Manual, at intervals consistent with risk management principles." "These self-inspections will be related to the activity, information, information systems (ISs), and conditions of the overall security program, to include the Insider Threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy." [1-207b, 1-207b(1) NISPOM]

The Self-Inspection Handbook for NISP Contractors

The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own self-inspections to include an insider threat self-assessment. This Self-Inspection Handbook is designed as a job aid to assist you in complying with these requirements. It is not intended to be used as a checklist only; rather, it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company. You will also find we have included various techniques that will help enhance the overall quality of your self-inspection.

Purpose of a Self-Inspection

Self-inspections provide insight into your security program. They give you an opportunity to look at the security procedures established at your company and validate that they not only meet NISPOM requirements but are also being effectively implemented by your cleared employees.

This is your chance to take an honest look at what your company is doing to protect our national security: to see what is working, what is working well, and what you may need to change. Remember, you should not be conducting your self-inspection just because the NISPOM requires you to. You should be conducting your self-inspection to ensure the continued protection of our national security, our country, its citizens, and most importantly our military service men and women.

The Elements of Inspection

The Self-Inspection Checklist contained within this handbook addresses basic NISPOM requirements through a series of questions arranged according to "Elements of Inspection." It is important to know that not all "Elements of Inspection" will apply to every cleared company. Before beginning your self-inspection, it is recommended that you review the "Elements of Inspection" to determine which ones are applicable to your facility's involvement in the NISP. Then use those elements to customize a self-inspection checklist unique to your security program.

There are seven "Elements of Inspection" that are common to ALL cleared companies participating in the NISP and should be incorporated into your customized self-inspection checklist: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (G) Classified Visits, (I) Classification, (K) FOCI, and (Y) Insider Threat. Any remaining elements need only be covered if they relate to your security program. If you have questions about the relevancy of any element of inspection for your facility, please contact your Industrial Security Representative (IS Rep) for guidance. A look at your Standard Practice Procedure (SPP), if you have one, may also provide clues. Of course, as your program becomes more involved with classified information (e.g., changing from a non-possessing to a possessing facility), you will have to expand your self-inspection checklist to include those additional elements of inspection. Also remember that not all of the questions (requirements) within each element may relate to your program. Since each question includes a NISPOM paragraph citation, review each requirement against the context of your industrial security program. If your involvement with classified information invokes the requirement, your procedures should comply with it and your self-inspection should assess your compliance. Reading all questions in the relevant elements of inspection will help you become more knowledgeable of the NISPOM requirements. In all cases, the regulatory guidance takes priority over company-established procedures.

Self-Inspection Process

To be most effective, it is suggested that you view your self-inspection as a three-step process rather than an event: 1) pre-inspection, 2) self-inspection, and 3) post-inspection.

1) PRE-INSPECTION.

So that you are fully prepared for your self-inspection, you want to start by conducting your pre-inspection research: 1) identify all security elements that apply, 2) familiarize yourself with how your company's business is structured and organized (it may have an impact on your company's security procedures), 3) identify who you will need to talk to and what records you may want to review, 4) prepare a list of questions and topics that need to be covered, 5) know your facility's physical layout (i.e., where the classified material is stored, worked on, etc.), 6) identify the current threats to your company's technologies, and 7) have a basic knowledge of your company's classified programs.

Remember, your primary sources of information during your self-inspection are your documents and people. Take the time to adequately prepare yourself by reviewing documentation you already have on hand. This includes the results of your last DSS security vulnerability assessment, your current DD Form 254s and classification guides, any recent company press releases or publications, your company website, any security records you may have on hand, and the JPAS records for your cleared employees.

Once you have completed your pre-inspection research, your next step is to set the date to conduct your self-inspection. Once your date is established, meet with your senior management team so they can understand the importance of your self-inspection and provide the support you need to be effective. Also take the time to meet with program and department managers to let them know what support you might need from them during the self-inspection process. Finally, make a formal announcement so that your employees will know what to expect.


2) SELF-INSPECTION.

The self-inspection process includes gathering information about each of the inspection elements that apply to your company's classified involvement. Your job as the FSO is to verify and validate that your facility security program is in compliance with applicable NISPOM requirements and that all classified information entrusted to your company is adequately protected. To do this, simply review the self-inspection questions against the appropriate documentation (including your classified information) and the people (including their actions) involved in the facility's industrial security program. This is where the self-inspection checklist comes in handy. It not only provides you with the NISPOM requirements, but organizes them into elements of common security concern. These elements should not be viewed independently during your self-inspection, but interdependently, as it will become obvious to you that they frequently interrelate.

During the self-inspection, you want to ensure that you take the time to explain the self-inspection process and what is to be expected to each employee you interview. This may be their first time going through any type of inspection; people tend to be reluctant to provide information when they don't know why they are providing it. Don't limit yourself to just talking with your employees. Look at their processes, have them demonstrate what they do when working with classified information, spot check documentation, and inspect security equipment, including any Intrusion Detection Systems (IDS), Information Systems (IS), and security containers that they have access to or are responsible for.

A quality self-inspection depends on your ability to ask questions and listen to the answers you receive. Those answers may identify security problems that would otherwise not be brought to your attention. Seek information about current procedures and changes, which could affect future actions. Get out of your office and into the working environment. Check security records, test security systems, and most importantly talk to people!

There are certain titled employees you may want to target for interviews during your self-inspection, including your key management personnel, both your cleared and uncleared employees, the webmaster, program managers, human resources personnel, contracts personnel, the receptionist, and mailroom personnel, to name a few.

Here are some general interviewing techniques and questions to assist you in conducting quality interviews during your self-inspection:

General Interviewing Techniques

o All questions should be asked in the present and future sense.

o Talk in a conversational tone and maintain eye contact.

o Let people tell their story. Ask open-ended questions (using who, what, where, when, why, and how).

o Avoid leading questions.

o Let people show you how they perform their jobs that involve compliance with a security program requirement.

o Follow up the checklist questions with your own questions.

o Keep good notes for future reference and document corrective actions.
